Himeji (Airbnb authorization)
Airbnb's in-house centralized authorization system. Enforces access controls at the data layer (not just in the UI), so privacy and security decisions are consistent across every service that touches user data.
Design highlights
- Data-layer enforcement. Permission checks happen where data is accessed, not bolted onto each endpoint. A UI bug or a new service can't accidentally bypass authorization.
- Relation denormalization at write time. When profile info or permissions change, Himeji precomputes derived relations (configurable per relation type). This shifts work from the read path to the write path, so read-time permission checks are extremely fast and scale as the privacy graph grows more complex. Classic denormalize-for-read pattern applied to ACLs/relations.
- Configurable denormalization. Which relations are denormalized is itself a policy knob, letting Airbnb tune the write-amplification vs. read-latency trade-off per use case.
- Least-privileged access by default. Every actor class — fellow guests, hosts, Airbnb support personnel — only sees the minimum data their interaction requires (Source: sources/2026-04-14-airbnb-privacy-first-connections).
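
The write-time denormalization trade-off described above, as an added sketch that is not Himeji's code or API (the sources do not describe its query model). The class, the method names and the `viewer` relation are hypothetical, and the profile and guest names are constructed sample data.

```python
from collections import defaultdict

class RelationStore:
    """Toy relation store; every name here is hypothetical, not Himeji's API."""
    def __init__(self, denormalize):
        self.denormalize = set(denormalize)  # policy knob: relations precomputed on write
        self.members = defaultdict(set)      # experience -> users booked on it
        self.profiles = defaultdict(set)     # experience -> profiles scoped to it
        self.scope = {}                      # profile -> experience
        self.viewers = defaultdict(set)      # derived relation: profile -> allowed users
        self.derived_writes = 0              # write amplification caused by the knob

    def add_profile(self, profile, experience):
        self.scope[profile] = experience
        self.profiles[experience].add(profile)
        if "viewer" in self.denormalize:
            for user in self.members[experience]:
                self._grant(profile, user)

    def add_member(self, experience, user):
        self.members[experience].add(user)
        if "viewer" in self.denormalize:
            for profile in self.profiles[experience]:
                self._grant(profile, user)

    def remove_member(self, experience, user):
        self.members[experience].discard(user)
        if "viewer" in self.denormalize:     # revocation must fan out too, or grants go stale
            for profile in self.profiles[experience]:
                self.viewers[profile].discard(user)
                self.derived_writes += 1

    def _grant(self, profile, user):
        self.viewers[profile].add(user)
        self.derived_writes += 1

    def can_view(self, user, profile):
        if "viewer" in self.denormalize:     # read path: one lookup, default deny
            return user in self.viewers.get(profile, ())
        exp = self.scope.get(profile)        # otherwise walk the graph at read time
        return exp is not None and user in self.members.get(exp, ())

def demo(denormalize):
    s = RelationStore(denormalize)
    s.add_profile("marie@goat-yoga", "goat-yoga")   # constructed sample data
    s.add_profile("marie@pasta", "pasta")
    s.add_member("goat-yoga", "guest-1")
    before = (s.can_view("guest-1", "marie@goat-yoga"), s.can_view("guest-1", "marie@pasta"))
    s.remove_member("goat-yoga", "guest-1")
    return before, s.can_view("guest-1", "marie@goat-yoga"), s.derived_writes
```

Both settings of the knob return the same decisions; only the number of derived writes differs, and the revoke path is where a denormalizing store has to be checked for stale grants.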
Role in the privacy-first identity model
Himeji is the enforcement substrate for the concepts/identity-decoupling work that separates User IDs from Profile IDs and scopes each Profile to a specific context (e.g., a single Airbnb Experience). The identity model defines what "Marie on Goat Yoga" is allowed to see of "Marie on Pasta Making with Nonna"; Himeji is what actually answers those checks at read time.
Seen in
- sources/2026-04-14-airbnb-privacy-first-connections — Himeji cited as the enforcement mechanism for context-aware profile visibility, and write-time relation denormalization called out as its key scalability optimization.
Open questions / not in sources yet
- Query model / API shape (ReBAC à la Google Zanzibar? ABAC? custom?).
- Scale numbers (QPS, p99, write amplification from denormalization).
- Consistency model between the write-time denormalizer and downstream services during permission changes.
- Referenced prior post: Himeji: a scalable centralized system for authorization at Airbnb — not yet ingested into this wiki.
Related
- concepts/identity-decoupling — User ID / Profile ID separation that Himeji enforces
- companies/airbnb